Network Scan and Attack Vector

Fri, 06 Aug 2021 21:45:48

Unknown Device URL: http://192.168.10.1 Path: 192.168.10.1 Ports: PORT STATE SERVICE 80/tcp filtered http Pwnd: False Notes: Drobo 5n2 URL: http://192.168.10.137 Path: 192.168.10.137 Ports: PORT STATE SERVICE 80/tcp closed http 139/tcp open netbios-ssn 445/tcp open microsoft-ds 548/tcp open afp 5000/tcp open upnp 5001/tcp open commplex-link Pwnd: False Notes: Not shown: 995 closed ports Asus RT N53 URL: http://192.…

Creston Airmedia

Sat, 01 May 2021 14:01:13

Device Location: 192.168.10.177 Exploits: https://www.exploit-db.com/exploits/46786 ports: 80, 443

Pihole

Sat, 01 May 2021 14:01:03

Challenge Submit the contents of flag.txt, found in USB storage on the device. Device Location: 192.168.10.172 Ports: 22, 80 Admin interface: https://192.168.10.172/admin Possible Exploit https://frichetten.com/blog/cve-2020-11108-pihole-rce/

Pivot Notes

Sat, 01 May 2021 14:00:51

When looking through the Control4 machine, we noticed that the IP address range it is on is not in the 192.168.10.0/24 subnet. It is actually in the 172.16.10.0/24 network. ifconfig eth0 Link encap:Ethernet HWaddr 00:0F:FF:13:D6:1A inet addr:172.16.10.4 Bcast:172.16.10.255 Mask:255.255.255.0 UP BROADCAST NOTRAILERS RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1 RX packets:122800 errors:0 dropped:0 overruns:0 frame:0 TX packets:119369 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:35281332 (33.6 MiB) TX bytes:32480603 (30.9 MiB) Interrupt:13 lo Link encap:Local Loopback inet addr:127.…

Control4 Flag 2

Sat, 24 Apr 2021 12:45:27

Challenge Submit the contents of flag.txt, found in USB storage on the device. Device Control4 Device Location: 192.168.10.174 Port: A bunch Exploit: Default SSH credentials Getting the flag Look through USB devices. didn’t find anything. ~# cd /mnt/media/usb/ /mnt/internal/usb# ls Looking for USB devices ~# dmesg | grep usb <6>[42949373.260000] usbcore: registered new interface driver usbfs <6>[42949373.260000] usbcore: registered new interface driver hub <6>[42949373.260000] usbcore: registered new device driver usb <6>[42949373.…

Firmware Analysis

Sat, 24 Apr 2021 10:15:52

Challenge Who knew embedded web servers ran php natively? And it’s easy to read! Or is it?! NOTE find the function mb_version(). Ensure you have a clean text file with ONLY this function (no unreadable/gibberish chars) and use the md5sum as the flag. Cursory look Looking at the provided file, we extracted it and started looking through the contents of this file. It was a root filesystem for a linux machine.…

Iotvillage CTF Network Scan

Sat, 24 Apr 2021 10:14:52

Running tried and true nmap. sudo nmap 192.168.10.0/24 Output Nmap scan report for 192.168.10.172 Host is up (0.095s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap scan report for 192.168.10.173 Host is up (0.096s latency). Not shown: 994 closed ports PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds 548/tcp open afp 5000/tcp open upnp 5001/tcp open commplex-link 8383/tcp open m2mservices Nmap scan report for 192.…

Mosquitto Flag 2

Sat, 24 Apr 2021 09:41:43

Challenge See if you have the patience to scratch the itch; patience is key. Mosquitto bites are so annoying! Except, in this case.. you can become an admin. Connect at: x.x.x.x:1883 using iot:iot Web Portal: http://x.x.x.x Solve Look at the new Mosquitto server, connecting using the following command mosquitto_sub -h x.x.x.x -p 1883 -u iot -P iot -t "#" Grab the text that looks like a flag. Base64 decode the username and password.…

Black Box 1 Flag Writeup

Sat, 08 Aug 2020 13:29:43

Previous Exploit Doing a search of Control 4 C4-HC250-BL + exploit in Google netted us with the default password used to exploit. http://www.davidsonfamily.ca/discussion-board/topic/logging-into-controller/ Black Box 1 Flag I noticed there was a Black Box Challenge for Control 4, which we previously exploited. With the password we previously used, we could ssh into the ip to access the directory: /etc/init.d/c4server. We took the MD5 sum of /etc/init.d/c4server to retrieve the flag.

Control4 Flag

Sat, 08 Aug 2020 13:22:15

After doing some research on the control4 product, we found that there is a default root password. user password root t0talc0ntr0l4! Getting the flag The flag is located on the SD card, so we go look in /mnt/sd/ $ cd /mnt/sd/ $ ls Flag.txt flash lost+found We found the flag, and now we can cat it out and capture it.